Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
AWS Certified Solutions Architect ??? Associate Guide

You're reading from   AWS Certified Solutions Architect ??? Associate Guide The ultimate exam guide to AWS Solutions Architect certification

Arrow left icon
Product type Paperback
Published in Oct 2018
Publisher Packt
ISBN-13 9781789130669
Length 626 pages
Edition 1st Edition
Tools
Arrow right icon
Authors (2):
Arrow left icon
Stuart Scott Stuart Scott
Author Profile Icon Stuart Scott
Stuart Scott
Gabriel Ramirez Isaias Ramirez Melgarejo Gabriel Ramirez Isaias Ramirez Melgarejo
Author Profile Icon Gabriel Ramirez Isaias Ramirez Melgarejo
Gabriel Ramirez Isaias Ramirez Melgarejo
Arrow right icon
View More author details
Toc

Table of Contents (26) Chapters Close

Preface 1. Introducing Amazon Web Services FREE CHAPTER 2. AWS Global Infrastructure Overview 3. Elasticity and Scalability Concepts 4. Hybrid Cloud Architectures 5. Resilient Patterns 6. Event Driven and Stateless Architectures 7. Integrating Application Services 8. Disaster Recovery Strategies 9. Storage Options 10. Matching Supply and Demand 11. Introducing Amazon Elastic MapReduce 12. Web Scale Applications 13. Understanding Access Control 14. Encryption and Key Management 15. An Overview of Security and Compliance Services 16. AWS Security Best Practices 17. Web Application Security 18. Cost Effective Resources 19. Working with Infrastructure as Code 20. Automation with AWS 21. Introduction to the DevOps practice in AWS 22. Mock Test 1
23. Mock Test 2
24. Assessment 25. Another Book You May Enjoy

Shared security model

This model is the way AWS frees the customer from the responsibility of establishing controls at the infrastructure, platform, and services levels by implementing them through their services. In this sense, the customer must provide full control of implementation in some cases, or work in a hybrid model where the customer provides their own solutions by complementing existing ones in the cloud:

The previous diagram shows that AWS is responsible for the security of the cloud; this involves software and hardware infrastructure and core services. The customer is responsible for everything in the cloud and the data they are the owner of.

To clarify this model, we will use a simple web server example and explain for every step which controls are in place for the customer and for AWS:

To create our web server, we will create an instance.

In the EC2 console choose Launch Instance:

Following are the details of the instance:

AWS/customer

  • In this example, let's create an instance (1); this image (Amazon Linux AMI) is managed by AWS, and it is security hardened, and it comes preconfigured from software packages from only trusted sources
  • Instances run isolated from other clients by virtual interfaces that run on a custom version of the Xen hypervisor
  • Every disk block is zeroized and RAM memory is randomized

The previous example is an example of an inherited control (virtualization type) and a shared control (virtual image).

The highlighted components represent the ones relevant for this example.

The next screen is for the configuration of the network attributes and the tenancy mode:

The following are the details of instance configuration:

AWS

Every instance runs in a virtual private cloud (Network) (1); the network is an infrastructure-protected service, and the customer inherits this protection, which enables workload isolation to the account level.

Customer

Is possible to segregate the network by means of public and private subnetting, route tables function as a traffic control mechanism between networks, service endpoints, and on-premises networks.

Customer

Identity and Access Management is the service dedicated to user management and account access.

IAM Roles are meant to improve security from the customer perspective by establishing trust relationships between services and other parties. EC2AccessToS3Role (2) will allow an instance to invoke service actions on S3 securely to store and retrieve data.

AWS/customer

The Tenancy property (3) is a shared control by which AWS implements security at some layers and the customer will implement security in other layers. It is common to run your instance in shared hosts (multi-tenant), but it can be done on a dedicated host (single tenant); this will make your workloads compliant with FIPS-140 and PCI-DSS standards.

The virtual private cloud (VPC) is an example of an inherited control, since AWS runs the network infrastructure; nevertheless, segmentation and subnet configuration is an example of a hybrid control, because the client is responsible for the full implementation by performing a correct configuration and resource distribution.

IAM operations are customer-related, and this represents a specific customer control. IAM roles and all the account access must be managed properly by the client.

Making use of dedicated resources is an example of shared controls. AWS will provide the dedicated infrastructure and the client provides all the management from the hypervisor upwards (operating system, applications).

The highlighted components represent the ones relevant for this example. Add a persistent EBS volume to our EC2 instance:

Security at rest for EBS with KMS cryptographic keys

AWS/customer

EBS volumes can be ciphered on demand by using cryptographic keys provided by the Key Management Service (KMS); this way all data at rest will be kept confidential

The EBS encryption attribute is an example of a shared control, because AWS will provide these facilities as part of EBS and KMS services, but the client must enable this configuration properties because by default, disks are not encrypted. The customer has the ability to use specific controls such as Linux Unified Key Setup (LUKS) to encrypt EBS volumes with third-party tools:

The highlighted components represent the ones relevant for this example.

Create a security group to filter the network traffic:

Detail:

AWS/customer

Security groups act as firewalls at the instance level, denying all inbound traffic and opening access only by customer-specified IPs, networks, ports, and protocols. It is a best practice to compartmentalize access by chaining multiple security groups restricting access on every layer. In this example, we create only one security group for the web server in which will be allowed HTTP traffic from any IP address (0.0.0.0/0) and restricted access via SSH only from a management machine—in this case, my IP.

This is a hybrid control because the function of network traffic filtering is from AWS, but the full implementation is given by the customer through the service API:

The highlighted components represent the ones relevant for this example.

Create a key pair to access the EC2 instance:

Detail:

AWS/Customer

Every compute instance in EC2, whether Linux or Windows, is associated with a key pair, one public key and one private key. The public key is used to cipher the login information of a specific instance. The private key is guarded by the customer so they can provide their identity through SSH for Linux instances. Windows instances use the private key to decrypt the administrator's password.

This is a shared control because the customer and AWS keep responsibility for the guarding of these keys and avoid third-party access that does not have the private key in their possession:

The last step has a dual responsibility:

  • The customer must protect the platform on which the application will be running, their applications, and everything related to the identity and access management from the app of the middleware perspective.
  • AWS is responsible for the storage and protection of the public key and the instance configuration.
You have been reading a chapter from
AWS Certified Solutions Architect ??? Associate Guide
Published in: Oct 2018
Publisher: Packt
ISBN-13: 9781789130669
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image